java security: 12 articles
How to do password hashing in Java applications the right way!
There are multiple ways to store sensitive passwords. And while having choices can be great, in the context of password storage, picking wrong can be a security nightmare. With that in mind, let’s hash out some of your options 🥁🥁. In this article …
Spring Remote Code Execution Vulnerability
I’d like to start by saying that I’m not a security expert. I also won’t link to the exploit. This is a very fresh take on a new vulnerability but there’s already confirmation from Sonatype. The current exploit seems to …
Quick Fire Java: Java After Log4j
Watch a 10 minute discussion on Log4j, security processes and prioritization, and how Payara dealt with the vulnerability.
Detecting, Investigating and Verifying Fixes for Security Incidents and Zero Day Issues Using Lightrun
Learn about major milestones in app security: finding the issue, evaluating a breach, proving it, and validating the fix!
PSA: The Risks of Remote JDWP Debugging
Java Debug Wire Protocol (a.k.a. JDWP) was designed for testing internally. Opening it to production is a HUGE security and stability risk…
SolarWinds Hack And The Executive Order Of Cybersecurity: What Does This Mean For Us?
In the past two years, we have had to learn a lot about cybersecurity. New attack vectors are becoming more and more sophisticated and are directed more and more against the value chain in general.
But what does that mean for us? What can be done about it, and what reactions have the state already taken?
SAST, DAST, IAST and RASP
In this article, we’re going to look at the differences between the various cybersecurity defence techniques.
My personal opinion on these different approaches is that if you start with DevSecOps or security in IT in general, the SAST approach makes the most sense. This is where the greatest potential threat can be eliminated with minimal effort.
Here you can identify four main groups, which we will go through briefly one after another to illustrate the advantages and disadvantages.
CVSS 101: First Steps with Common Vulnerability Scoring System
What is the Common Vulnerability Scoring System (CVSS), who is behind it, what are we doing with it, and what does a CVSS Value mean for you?
With CVSS, we have a value system for evaluating security gaps in software. Since there are no alternatives, and the system has been in use worldwide for over ten years and is constantly being developed, it is a de facto standard.
The evaluation consists of three components.
Java Encryption and Hashing
If you need to store sensitive data in your system, you have to be sure that you have proper encryption in place.
First of all, you need to decide what kind of encryption you need, for instance symmetric or asymmetric.
Also, you need to choose how secure it needs to be. Stronger encryption takes more time and consumes more CPU.
The most important part is that you don’t need to implement the encryption algorithms yourself. Encryption is hard, and a trusted library solves it for you.
Changing a Field’s Type in Recent JDKs
A couple of years ago, I attended a talk by my former colleague (but still friend) Volker Simonis. It gave me the idea to dig a bit into the subject of how to secure the JVM. From the material, I created a series of blog posts as well as a talk.
From that point on, I submitted the talk at meetups and conferences, where it was well-received. Because I like to explore different areas, I stopped submitting other proposals. Still, the talk is in my portfolio, and it was requested again in 2021. I have already presented it twice since the beginning of the year at the time of this writing.
It allowed me to update the demo with version 16 of the JDK. In this blog post, I want to share some findings regarding the security changes around changing a field’s type across JDK versions.